Pacemaker vulnerability and v1.1.9 release
A security vulnerability (CVE-2013-0281) was found on pacemaker which permitted attackers to prevent your cluster from serving more CIB requests. Although this issue was quickly fixed by upstream, they didn't add a new tag to pacemaker so I did ask Andrew Beekhof for one so I could take care of bug #457572. Gentoo users, here comes pacemaker-1.1.9 !
While packaging and testing pacemaker-1.1.9, I ran into some weird permission issues which I debugged with @beekhof and @asalkeld (thx again guys). Turns out that when enabling ACL support on pacemaker, you now need to add root to the haclient group ! The reason is that pacemaker now uses shared memory IPC sockets from libqb to communicate with corosync (on /dev/shm/).
- corosync: Allow cman and corosync 2.0 nodes to use a name other than uname()
- corosync: Use queues to avoid blocking when sending CPG messages
- Drop per-user core directories
- ipc: Compress messages that exceed the configured IPC message limit
- ipc: Use queues to prevent slow clients from blocking the server
- ipc: Use shared memory by default
- lrmd: Support nagios remote monitoring
- lrmd: Pacemaker Remote Daemon for extending pacemaker functionality outside corosync cluster.
- pengine: Check for master/slave resources that are not OCF agents
- pengine: Support a 'requires' resource meta-attribute for controlling whether it needs quorum, fencing or nothing
- pengine: Support for resource container
- pengine: Support resources that require unfencing before start
Since the main focus of the bump was to fix a security issue, I didn't add the new nagios feature to the ebuild. If you're interested in it, just say so and I'll do my best to add it asap.